X509Certificate2 raises "The Smart card resource manager is not running" exception

Hi all,

Some time ago a customer of mine was getting a CryptographicException with message “The Smart card resource manager is not running” when using X509Certificate2 object in a Windows service. This was the call stack at the point of exception:


at System.Security.Cryptography.Utils.CreateProvHandle(CspParameters parameters, Boolean randomKeyContainer)   

at System.Security.Cryptography.Utils.GetKeyPairHelper(CspAlgorithmType keyType, CspParameters parameters, Boolean randomKeyContainer, Int32 dwKeySize, SafeProvHandle& safeProvHandle, SafeKeyHandle& safeKeyHandle)   

at System.Security.Cryptography.RSACryptoServiceProvider.GetKeyPair()   

at System.Security.Cryptography.RSACryptoServiceProvider..ctor(Int32 dwKeySize, CspParameters parameters, Boolean useDefaultKeySize)   

at System.Security.Cryptography.X509Certificates.X509Certificate2.get_PrivateKey()


The service was running as NETWORK SERVICE, and it worked fine when running as SYSTEM. Error happened on Windows 7, but everything worked fine on Windows XP.

The cause of the issue is that .NET is calling SCardEstablishContext API behind the scenes, and the user running the service doesn’t have enough permissions to run the API. More details on the issue and potential solutions can be found in this other post of mine: SCardEstablishContext fails with SCARD_E_NO_SERVICE error.

I hope this helps.



Alex (Alejandro Campos Magencio)

Comments (2)

  1. Henning says:

    Hi Alex,

    given the program below, I always get an "Access Denied" when calling OpenEvent or GetNamedSecurityInfo. I've tried by running as elevated administrator and a console session running under the SYSTEM account (using psexec). Any ideas why?

    If I call OpenEvent(0x00020000, true, "Global\Microsoft Smart Card Resource Manager Started"), I also get an Access Denied error.

    Kind regards,


    Here is the program:

    class Program

        [DllImport("Advapi32.dll", SetLastError = true, CharSet = CharSet.Unicode)]
        private static extern int GetNamedSecurityInfo(
            [In] string pObjectName,
            [In] int objectType,
            [In] int securityInfo,
            IntPtr ppsidOwner,
            IntPtr ppsidGroup,
            out IntPtr ppDacl,
            IntPtr ppSacl,
            out IntPtr ppSecurityDescriptor
        static void Main(string[] args)
                IntPtr dacl;
                IntPtr sd;
                var result = GetNamedSecurityInfo("Global\Microsoft Smart Card Resource Manager Started", 6, 4, IntPtr.Zero,
                                                  IntPtr.Zero, out dacl, IntPtr.Zero, out sd);
                if (result != 0)
                    throw new Win32Exception(Marshal.GetLastWin32Error());
            catch (Exception ex)
                Console.Out.WriteLine("ex = {0}", ex);
  2. alejacma says:

    Hi Henning, yes, I'm aware of the issue with that code. I was told yesterday and I'm currently working on it. Enabling "Allow service to interact with desktop" won't help either. So right now the only solution is to configure the service to run with any of the allowed accounts. I'll let you know if we can make that code to work.